REMARKS

Claims 1-31 are currently pending. No claims are added, amended, or cancelled in this 
paper. Claims 1, 9, 17, and 24 are independent claims. For at least the reasons set forth below, all
pending claims are believed to be in condition for allowance. 

In the Office Action, claims 1, 4, 9, 12, 17-19, 24, and 27 were rejected under 35 U.S.C. § 
103(a) as allegedly unpatentable over Applicants' Background of the Invention, U.S. Patent 
Application Publication No. 20020138416 ("Applicants' Background"), in view of U.S. Pat. No. 
6,266,655 to Kalyan ("Kalyan"). Claims 2, 3, 5-8, 10, 11, 13-16, 20-23, 25-26, and 28-31 were 
rejected under 35 U.S.C. § 103(a) as allegedly unpatentable over Applicants' Background in view of 
Kalyan, further in view of U.S. Patent Application Publication No. 20020091699 ("Norton"). 

In view of the following arguments, all claims are believed to be in condition for allowance 
over the references of record. Therefore, this response is believed to be a complete response to the 
Office Action. However, Applicants reserve the right to set forth further arguments supporting the 
patentability of their claims, including the separate patentability of the dependent claims not 
explicitly addressed herein, in future papers.¹ Further, for any instances in which the Examiner took
Official Notice in the Office Action, Applicants expressly do not acquiesce to the taking of Official
Notice, and respectfully request that the Examiner provide an affidavit to support the Official Notice
taken in the next Office Action, as required by 37 CFR 1.104(d)(2) and MPEP § 2144.03.

¹ As Applicants' remarks with respect to the Examiner's rejections are sufficient to overcome these rejections,
Applicants' silence as to assertions by the Examiner in the Office Action or certain requirements that may be applicable
to such rejections (e.g., whether a reference constitutes prior art, motivation to combine references, assertions as to
dependent claims, etc.) is not a concession by Applicants that such assertions are accurate or such requirements have
been met, and Applicants reserve the right to analyze and dispute such assertions/requirements in the future.

I. Claim Rejections - 35 U.S.C. § 103.

A. Independent Claims 1, 9, 17, and 24 Are Patentable Over Applicants' 
Background And Kalyan. 

The Examiner asserted that independent claims 1, 9, 17, and 24 are obvious and therefore
unpatentable over Applicants' Background, combined with the Kalyan reference cited by the 
Examiner in response to Applicants' request for support of the Examiner's Official Notice. 
However, the Kalyan reference fails to teach or suggest the recitations for which it was cited. 
Moreover, Applicants' Background is merely background information, and does not teach or 
suggest, and in fact teaches away from, numerous recitations found in Applicants' claims, discussed 
in detail below. 

1. "wherein each asset is defined to be one of an electronic asset type 
and a location asset type . . . and the location asset type includes 
physical locations where the electronic asset types are placed." 

Independent claims 1, 9, 17, and 24 each recite in part "inventorying a plurality of assets of
the organization, wherein each asset is defined to be one of an electronic asset type and a location 
asset type . . . and the location asset type includes physical locations where the electronic asset types 
are placed." The Examiner alleged that the "Inventory and definition" section of Applicants' 
Background teaches this recitation. (Office Action, page 3.) In the Examiner's Response to 
Arguments, the Examiner further stated that "the assets that are determined by the organization 
encompass all asset types," and that "Paragraph 0015 of applicant's background of the invention 
clearly states that the organization determines its assets which obviously include location and 
electronic asset types." (Office Action, page 6.) However, Applicants' Background fails to teach or 
suggest "a location asset type [that] includes physical locations where the electronic asset types are 
placed" as recited by independent claims 1, 9, 17, and 24.

Paragraph 15 of Applicants' Background states that an "organization determines its assets 
(e.g., electronic devices, electronically stored data, etc.) that are involved in support of critical 
processes." (Applicants' Background: page 4, lines 11-13.) Applicants' Background further states 
that there are "a number of conventional automated tools [that] can assist the organization in
accomplishing this phase of the process." (Applicants' Background: page 4, lines 17-18.) 
However, Applicants' Background says nothing at all about a location asset type that includes the 
physical location of an electronic asset. Also, Applicants' Background does not teach or suggest
that each asset is defined to be one of an electronic asset type and a location asset type. 

In fact, paragraph 19 of Applicants' Background teaches away from the Examiner's
interpretation of paragraph 15. Paragraph 19 of Applicants' Background states:

There are a number of tools available to electronically scan 
electronic devices and assess vulnerabilities within electronic devices. 
While tools of this nature are useful in identifying top vulnerabilities
related to platform and/or service configurations, the tools cannot
identify vulnerabilities within platforms or services not visible to the
scan. Furthermore, these tools do not permit the user to create
relationships between the asset at risk and its environment (i.e., other
devices to which the asset connects, the physical location in which a 
device resides, or the network on which it participates.) Without the 
creation of these relationships, it is ineffective in properly measuring 
the impact of a risk or appropriately choosing effective controls. 

(Specification, paragraph 19; emphasis added.) In fact, the emphasized section of paragraph 19
clearly states that there is no teaching of "a location asset type [that] includes physical locations
where the electronic asset types are placed" as recited by claims 1, 9, 17, and 24. Thus, Applicants'
Background in fact teaches away from these recitations of Applicants' claims.

Because Applicants' Background fails to teach or suggest and in fact teaches away from 
"inventorying a plurality of assets of the organization, wherein each asset is defined to be one of an 
electronic asset type and a location asset type . . . and the location asset type includes physical 
locations where the electronic asset types are placed," the rejections of claims 1, 9, 17, and 24, and
the claims depending therefrom, should be withdrawn. 

2. "identifying at least one criterion defining a security objective of
the organization." 

Independent claims 1, 17, and 24 further recite in part "identifying at least one criterion
defining a security objective of the organization," while claim 9 recites in part "identifying a 
plurality of criteria, each criterion defining a security objective of the organization." The Examiner 
alleged that the "Vulnerability and threat evaluation" section of Applicants' Background teaches 
these recitations. (Office Action, pages 3 and 6.) However, Applicants' Background not only fails 
to teach or suggest at least these recitations of claims 1, 9, 17, and 24, but Applicants' Background
also teaches away from "identifying at least one criterion defining a security objective of the 
organization" and "identifying a plurality of criteria, each criterion defining a security objective of 
the organization." 

Applicants' Background teaches that there are many criteria and sets of criteria available to 
use for vulnerability and threat evaluation. For example, auditors can use any of the following sets 
of criteria: Common Criteria from Decisive Analytics; Orange Book from the U.S. Department of 
Defense; COBIT from the Information Systems Audit and Control Foundation; and SAS 70 from 
the U.S. Security and Exchange Commission. (Applicants' Background: page 4, lines 17-23.) Each
set of criteria in turn contains many criteria available for use. Applicants' Background says nothing
at all about "identifying at least one criterion defining a security objective of the organization" or
"identifying a plurality of criteria, each criterion defining a security objective of the organization."
(Emphasis added.) 

Further, Applicants' Background states that "[v]ulnerability and threat assessment is
typically performed by an internal audit department or third party auditor using a set of assessment
criteria," where "[c]riteria represent a standard of practice which should be met in order to assure 
effective security." (Applicants' Background: page 5, lines 4-7.) However, "standard of practice" 
"assessment criteria" do not teach or suggest "identifying at least one criterion defining a security 
objective of the organization." (Emphasis added.) In contrast, at most Applicants' Background
teaches using a pre-defined set of criteria, as opposed to "identifying at least one criterion defining a
security objective of the organization." (Emphasis added.) Therefore, Applicants' Background
actually teaches away from "identifying at least one criterion defining a security objective of the
organization." Similarly, Applicants' Background teaches away from "identifying a plurality of 
criteria, each criterion defining a security objective of the organization." 

Because Applicants' Background not only fails to teach or suggest "identifying at least one 
criterion defining a security objective of the organization" and "identifying a plurality of criteria, 
each criterion defining a security objective of the organization," but also teaches away from these 
recitations, the rejections of claims 1, 9, 17, and 24, and the claims depending therefrom, should be
withdrawn. 

3. "identifying one or more inventoried assets that relate to the identified 
criterion." 

Independent claims 1, 9, and 24 further recite in part "identifying one or more inventoried
assets that relate to the identified criterion." Independent claim 17 recites in part "to identify one or 
more inventoried assets that relate to the identified criterion." The Examiner alleged that the 
"Inventory and definition" section of Applicants' Background teaches these recitations. (Office 
Action, page 3.) However, Applicants' Background says nothing at all about "identifying one or 
more inventoried assets that relate to the identified criterion" or "to identify one or more inventoried 
assets that relate to the identified criterion." Therefore, Applicants' Background also fails to teach 
or suggest at least these recitations of claims 1, 9, 17, and 24. Further, Applicants' Background 
actually teaches away from these recitations.

Applicants' Background says nothing at all about "identifying one or more inventoried 
assets that relate to the identified criterion." The Examiner relied on the statement that "[o]nce 
assets have been identified, a value is assigned to each asset" as disclosing the claim recitation. 
(Applicants' Background: page 4, lines 13-14.) As stated in Applicants' Background, "[t]his value 
is not only monetary, but also may be tied to loss of reputation or loss of trust." (Applicants' 
Background: page 4, lines 14-15.) The Background says nothing at all about identifying an asset 
that relates to the identified criterion.

Further, Applicants' Background teaches away from "identifying one or more inventoried
assets that relate to the identified criterion." Applicants' Background states that "the organization 
determines its assets . . . [then] a value is assigned to each asset." (Applicants' Background: page 4, 
lines 11-14.) To examine the organization for weaknesses that could be exploited by an 
unauthorized outsider, a vulnerability and threat assessment is performed by an auditor, where the 
auditor uses a set of assessment criteria to evaluate if vulnerabilities exist. (Applicants' 
Background: page 5, lines 1-9.) Such a teaching is contrary to "identifying one or more inventoried 
assets that relate to the identified criterion." Therefore, if Applicants' Background is at all relevant, 
it actually teaches away from "identifying one or more inventoried assets that relate to the identified 
criterion." 

In the Examiner's Response to Arguments, the Examiner repeated that the Applicants' 
Background "teaches identifying assets and assigning a value to each asset." (Office Action, page 
6.) Although Applicants' Background states that "the organization determines its assets . . . [then] a 
value is assigned to each asset," Applicants respectfully disagree that this statement reads on 
"identifying one or more inventoried assets that relate to the identified criterion" as recited by 
Applicants' claims 1, 9, and 24. (Applicants' Background: page 4, lines 11-14.) Claims 1, 9, and 
24 do not merely recite "identifying assets and assigning a value to each asset." (Office Action, 
page 6.) In contrast, claims 1, 9, and 24 recite "identifying one or more inventoried assets that 
relate to the identified criterion." (Emphasis added.) As argued above, Applicants' Background
simply contains no such teaching or suggestion. At most, Applicants' Background merely discloses 
to assign a value to each asset without any relation to any identified criterion. 

Because Applicants' Background not only fails to teach or suggest "identifying one or more 
inventoried assets that relate to the identified criterion," but also teaches away from this recitation, 
the rejections of claims 1, 9, and 24, and the claims depending therefrom, should be withdrawn. For 
similar reasons, the rejection of claim 17, and the claims depending therefrom, should be 
withdrawn. 

4. "assessing the risk to the organization based on the measured values of
the one or more metric equations." 

Independent claims 1 and 24 further recite in part "assessing the risk to the organization 
based on the measured values of the one or more metric equations." Independent claims 9 and 17 
further recite in part "to assess the risk to the organization based on the measured values of the one 
or more metric equations." The Examiner alleged that Applicants' Background paragraph 24
teaches these recitations, and relied on the statement that "[o]nce risk has been assessed and 
identified, the organization can choose to accept the risk, mitigate the risk, or transfer the risk." 
(Office Action, pages 3 and 6.) However, Applicants' Background also fails to teach or suggest at 
least these recitations of claims 1, 9, 17, and 24.

Applicants' Background states that "[o]nce risk has been assessed and identified, the 
organization can choose to accept the risk, mitigate the risk, or transfer the risk." (Applicants' 
Background, paragraph 24.) Applicants' Background says nothing at all about "assessing the risk to 
the organization based on the measured values of one or more metric equations." In fact, 
Applicants' Background does not in any way suggest use of metric equations at all, much less 
"measured values of the one or more metric equations." 

Because Applicants' Background fails to teach or suggest "assessing the risk to the 
organization based on the measured values of the one or more metric equations" the rejections of 
claims 1 and 24, and the claims depending therefrom, should be withdrawn. For similar reasons, the 
rejections of claims 9 and 17, and the claims depending therefrom, should be withdrawn. 

5. "formulating one or more metric equations for each identified 
criterion." 

Independent claims 1, 9, and 24 further recite in part "formulating one or more metric 
equations for each identified criterion." Independent claim 17 further recites in part "to formulate 
one or more metric equations for each identified criterion." In the Office Action, the Examiner 
stated that: 

Kalyan discloses the formulating and solving of equations for
identified criteria (see the abstract, also see fig4 elements 43 and 44). 
Thus it would have been obvious to one of ordinary skill in the art to 
incorporate the teachings of Kalyan into [Applicants' Background] to 
formulate and solve metric equations defining one or more assets of 
the organization since doing so would provide answers to business 
organizational questions in a more efficient and systematic way. 

(Office Action, page 3.) However, although Kalyan discloses various details of valuing resources,
Kalyan fails to teach or suggest at least these recitations of independent claims 1, 9, 17 and 24.

The Abstract of Kalyan states: 

A method of valuing resources of an asset intensive 
manufacturer. Calculations provide a MAV for each resource 
(machine) for each time horizon. The inputs for the calculations 
include the prices of products made by the resource, probabilistic
demand for the products, usage of the resource by various products, 
and availability of the resource. A series of equations, one equation 
associated with each resource, is formulated and solved, using 
lagrangian methods, with lagrangian multipliers representing resource 
values. 

(Kalyan, Abstract.) Additionally, elements 43 and 44 of Fig. 4, also cited by the Examiner, are 
labeled "SET UP Nr EQUATIONS EACH WITH ONLY ONE VARIABLE, THE 
CORRESPONDING X" and "SOLVE EACH EQUATION USING A BINARY TREE TO
CONVERGE TO A NEW X FOR EACH EQUATION." (Kalyan, Fig. 4.) In sum, the cited
sections of Kalyan disclose at most valuing products and resources with one equation per resource,
not per criterion. Indeed, as Kalyan discloses "one equation associated with each resource," Kalyan 
in fact teaches away from "formulating one or more metric equations for each identified criterion" 
to the extent that "each identified criterion" may potentially require more than "one equation 
associated with each resource." 

Moreover, the differences between Kalyan and claims 1, 9, 17, and 24 further can be seen in
context, at least because the modeling in Kalyan is for the purpose of "valuing resources used to
manufacture products" (e.g. Kalyan, col. 1, lines 43-45), without regard to "at least one criterion
defining a security objective of the organization." 

As a result, Kalyan fails to disclose "formulating one or more metric equations for each
identified criterion." In contrast, Kalyan teaches "one equation associated with each resource," not
equations associated with criteria, let alone "each identified criterion" as recited by claims 1, 9, 17,
and 24. (Emphasis added.) Therefore, Kalyan clearly fails to teach or suggest "formulating one or
more metric equations for each identified criterion." For similar reasons, Kalyan fails to teach or
suggest "to formulate one or more metric equations for each identified criterion." Thus, the
rejections of claims 1, 9, 17, and 24, and the claims depending therefrom, should be withdrawn.

B. Dependent Claims 2-8, 10-16, 18-23, and 25-31 

All dependent claims depend either directly or indirectly from claims 1, 9, 17, or 24.
Therefore, claims 2-8, 10-16, 18-23, and 25-31 are in condition for allowance at least because they
are dependent from one of independent claims 1, 9, 17, or 24. Nevertheless, these dependent claims
also recite independently patentable subject matter, discussed below. 

1. Claims 4, 12, 19, and 27 

Dependent claims 4, 12, 19, and 27 further recite in part "wherein the plurality of assets are 
defined to be one of a user type, a user population type, a data type and a network type in addition to 
the electronic type and the location type, wherein the user type relates to an individual user and the 
user population type relates to a group of users." The Examiner alleged that the "Inventory and 
definition" section of Applicants' Background teaches this recitation. (Office Action, pages 3-4.) 
However, Applicants' Background says nothing at all about "the plurality of assets are defined to be 
one of a user type, a user population type, a data type and a network type in addition to the 
electronic type and the location type, wherein the user type relates to an individual user and the user 
population type relates to a group of users." Therefore, Applicants' Background fails to teach or 
suggest at least this recitation of dependent claims 4, 12, 19, and 27. 

Applicants' Background states that an "organization determines its assets (e.g., electronic 
devices, electronically stored data, etc.) that are involved in support of critical processes." 
(Applicants' Background: page 4, lines 11-13.) Applicants' Background says nothing at all about
"the plurality of assets are defined to be one of a user type, a user population type, a data type and a
network type in addition to the electronic type and the location type, wherein the user type relates to
an individual user and the user population type relates to a group of users." In fact, Applicants'
Background makes no mention of "a user type, a user population type, a data type, [or] a network 
type." 

Because Applicants' Background fails to teach or suggest "wherein the plurality of assets are 
defined to be one of a user type, a user population type, a data type and a network type in addition to 
the electronic type and the location type, wherein the user type relates to an individual user and the 
user population type relates to a group of users," the rejections of claims 4, 12, 19, and 27, and the
claims that depend therefrom, should be withdrawn.

2. Claims 5, 13, 20, and 28 

Dependent claims 5, 13 and 28 further recite in part "establishing at least one relationship 
between the plurality of assets." Dependent claim 20 further recites in part "to establish at least one 
relationship between the plurality of assets." The Examiner stated that Applicants' Background 
does not explicitly disclose these recitations, and cited Norton to compensate for the acknowledged 
deficiency of Applicants' Background. (Office Action, page 5.) However, Norton says nothing at 
all about "establishing at least one relationship between the plurality of assets." Therefore, Norton 
fails to teach or suggest at least these recitations of dependent claims 5, 13, 20, and 28. 

The Examiner alleged that Norton teaches these recitations on page 4, paragraphs 85-90. 
(Office Action, page 5.) At most, Norton discloses a variety of "asset search options" that "enables 
a user not only to search for an asset, but also to view a range of detailed information about the 
selected asset." (Norton: page 4, paragraphs 85-87.) Norton further discloses that "The Asset tab 
70 displays detailed asset information for the asset selected," and that such information may include 
the asset's serial number, tracking number, purchase order, manufacturer, model number, etc. 
(Norton: pages 4-5, paragraphs 88-93.) 

Norton not only fails to disclose "establishing at least one relationship between the plurality
of assets," but actually makes no mention of this recitation at all. Because Norton fails to teach or
suggest "establishing at least one relationship between the plurality of assets," the rejections of
claims 5, 13, and 28, and the claims that depend therefrom, should be withdrawn. For similar
reasons, the rejection of claim 20, and the claims depending therefrom, should be withdrawn. 

3. Claims 6, 14, 21, and 29 

Dependent claims 6, 14, and 29 further recite in part "linking a first asset defined to be in
one asset type with a second asset defined to be in another asset type." Dependent claim 21 further
recites in part "to link a first asset defined to be in one asset type with a second asset defined to be 
in another asset type." The Examiner stated that Applicants' Background does not explicitly 
disclose these recitations, and cited Norton to compensate for the acknowledged deficiency of 
Applicants' Background. (Office Action, page 5.) However, Norton says nothing at all about 
"linking a first asset defined to be in one asset type with a second asset defined to be in another 
asset type." Therefore, Norton fails to teach or suggest at least these recitations of dependent claims 
6, 14, 21, and 29. 

Again, the Examiner alleged that Norton teaches these recitations on page 4, paragraphs 85-90.
(Office Action, page 5.) At most, Norton discloses a variety of "asset search options" that
allow a user to search for an asset, and view detailed information about a selected asset. (Norton: 
page 4, paragraphs 85-87.) 

Norton fails to disclose "linking a first asset defined to be in one asset type with a second 
asset defined to be in another asset type," and actually makes no mention of this recitation at all. 
Because Norton fails to teach or suggest "linking a first asset defined to be in one asset type with a 
second asset defined to be in another asset type," the rejections of claims 6, 14, and 29, and the 
claims that depend therefrom, should be withdrawn. For similar reasons, the rejection of claim 21, 
and the claims depending therefrom, should be withdrawn. 

4. Claims 7, 15, 22, and 30

Dependent claims 7, 15, and 30 further recite in part "linking a first asset defined to be in 
one asset type with a second asset defined to be in the same asset type." Dependent claim 22 further 
recites in part "to link a first asset defined to be in one asset type with a second asset defined to be 
in the same asset type." The Examiner stated that Applicants' Background does not explicitly
disclose these recitations, and cited Norton to compensate for the acknowledged deficiency of
Applicants' Background. (Office Action, page 5.) However, Norton says nothing at all about
"linking a first asset defined to be in one asset type with a second asset defined to be in the same
asset type." Therefore, Norton fails to teach or suggest at least these recitations of dependent claims
7, 15, 22, and 30. 

Again, the Examiner alleged that Norton teaches these recitations on page 4, paragraphs 85-90.
(Office Action, page 5.) At most, Norton discloses a variety of "asset search options" that
allow a user to search for an asset, and view detailed information about a selected asset. (Norton: 
page 4, paragraphs 85-87.) 

Norton fails to disclose "linking a first asset defined to be in one asset type with a second 
asset defined to be in the same asset type," and actually makes no mention of this recitation at all. 
Because Norton fails to teach or suggest "linking a first asset defined to be in one asset type with a 
second asset defined to be in the same asset type," the rejections of claims 7, 15, and 30, and the 
claims that depend therefrom, should be withdrawn. For similar reasons, the rejection of claim 22, 
and the claims depending therefrom, should be withdrawn. 

CONCLUSION

In view of the above amendment, Applicants believe the pending application is in condition 
for allowance. 

Applicants believe no fee is due with this response. However, if a fee is due, please charge 
our Deposit Account No. 18-0013, under Order No. 65632-0525 from which the undersigned is 
authorized to draw. To the extent necessary, a petition for extension of time under 37 C.F.R. § 1.136
is hereby made, the fee for which should be charged to this deposit account. 

Dated: April 8, 2008 Respectfully submitted,

Electronic signature: /Michael B. Stewart/ 
Michael B. Stewart 

Registration No.: 36,018 
RADER, FISHMAN & GRAUER PLLC 
Correspondence Customer Number: 25537 
Attorney for Applicant